IBM Support

Disablement of TLSv1.0 and TLSv1.1 Protocols in IBM JDK 8.0 SR6 FP30, 7.1 SR4 FP85, and 7.0 SR10 FP85 on IBM i OS

Flashes (Alerts)


Abstract

After you apply the following IBM i Java Group PTF level for your IBM i OS VRM and install 8.0 SR6 FP30, 7.1 SR4 FP85, and 7.0 SR10 FP85, the TLSv1.0 and TLSv1.1 protocols are disabled for use with IBM JDK 8.0, 7.1, and 7.0 on the IBM i OS.

Release 7.4 -- SF99665 level 11
Release 7.3 -- SF99725 level 22
Release 7.2 -- SF99716 level 32
Release 7.1 -- SF99572 level 46

Content

After you update your IBM i OS Java Group PTF level and install the Java 8.0 SR6 FP30, 7.1 SR4 FP85, and 7.0 SR10 FP85 or newer service release fix pack on the IBM i OS, a "javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" error is thrown when the TLSv1.0 or TLSv1.1 protocol is used on a TLS connection. This is because the TLSv1.0 and TLSv1.1 protocols have been disabled for use with IBM JDK 8.0, 7.1, and 7.0 on the IBM i OS. IBM recommends that customers use the more secure TLSv1.2 or TLSv1.3 protocol instead.
Refer to the following IBM Documentation on this security change.
For what's new in security in each JDK, see the following links:
What's new in Java 80
What's new in Java 71
What's new in Java 70
TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3). From this release, TLS 1.0 and 1.1 are disabled by default. If you encounter issues, you can, at your own risk, re-enable the older versions by removing the appropriate TLSv1 or TLSv1.1 string(s) from the jdk.tls.disabledAlgorithms security property in the JAVA_HOME/jre/lib/security/java.security configuration file.
If you are encountering TLS connectivity issues using the TLSv1.1 or TLSv1.0 protocol, IBM strongly recommends you update your Java server/client application to use either the TLSv1.2 or TLSv1.3 protocol, if possible. Refer to the following document for more information on how to enable your Java application to use TLSv1.2:

If you are unable to use the TLSv1.3 or TLSv1.2 protocol, refer to "Enabling the TLSv1.1 and TLSv1.0 Protocols with IBM Java 8, 7.1, and 7.0 on the IBM i OS".
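
To confirm what a given JVM will actually offer after the PTF is applied, the following added example (not IBM code and not part of the original document) reads the jdk.tls.disabledAlgorithms security property and compares it with the protocols the default SSLContext enables. The class name TlsProtocolAudit and the exit-code convention are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): audits whether this JVM still permits TLSv1.0/TLSv1.1.
public class TlsProtocolAudit {

    // Protocol names as written in jdk.tls.disabledAlgorithms and in JSSE protocol lists.
    private static final List<String> LEGACY = Arrays.asList("TLSv1", "TLSv1.1");

    // Splits the comma-separated security property into trimmed entries.
    static List<String> parseDisabled(String property) {
        List<String> entries = new ArrayList<String>();
        if (property == null) {
            return entries;
        }
        for (String entry : property.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries;
    }

    public static void main(String[] args) throws Exception {
        // Effective value, normally loaded from JAVA_HOME/jre/lib/security/java.security.
        List<String> disabled = parseDisabled(Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);

        // Protocols a socket created from the default context would offer.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> enabled = Arrays.asList(params.getProtocols());
        System.out.println("Protocols enabled by default = " + enabled);

        boolean legacyBlocked = true;
        for (String protocol : LEGACY) {
            boolean listed = disabled.contains(protocol);
            boolean active = enabled.contains(protocol);
            System.out.println(protocol + ": listed as disabled=" + listed + ", enabled by default=" + active);
            legacyBlocked &= listed && !active;
        }
        boolean modern = enabled.contains("TLSv1.2") || enabled.contains("TLSv1.3");
        System.out.println("TLSv1.2 or TLSv1.3 enabled = " + modern);
        // Assumed convention: exit 0 only when legacy protocols are blocked and a modern one is usable.
        System.exit(legacyBlocked && modern ? 0 : 1);
    }
}
```

Run it with the same JVM and java.security file that the application uses, since an application that sets its own enabled protocols on a socket can differ from the defaults reported here.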


Document Information

Modified date:
06 August 2021

UID

ibm16478973